Definitely useful, thanks for this!

Wes Hargrove
Sales and Technical Engineering Support
lynda.com
Office +1 (805) 755-1437
Mobile +1 (903) 780-1871
whargr...@lynda.com
On Thu, Aug 15, 2013 at 10:12 PM, Robert Oschwald <robertoschw...@googlemail.com> wrote:
> +1
>
> On 13.08.2013 at 23:47, "Ohsie, David" <david.oh...@emc.com> wrote:
>
> Whenever I try to explain how CAS works to colleagues in EMC, generally or
> in specific use cases, I present sequence diagrams. In the past, I've
> drawn these using Visio, which makes nice-looking diagrams, but the result
> is tedious to maintain and also hard to share or integrate into a build
> process. Recently, I started to experiment with text->UML tools and I drew
> this diagram using plantUML (http://plantuml.sourceforge.net/). Starting
> from text means that you can keep this documentation easily in git, and
> you can use maven or many other processes to generate the docs
> automatically (much like you do with Markdown). I'm wondering if the
> developers feel that these diagrams would be useful to include with the
> documentation. I'm attaching a link, the original "source" and the
> resulting picture. (The link is really long; I think that it is a lossless
> compression of the plantuml source.)
> I'm thinking a proxy ticketing diagram might also be useful:
>
> Ridiculously long link:
>
> Image (source comes after the image):
>
> <image001.png>
>
> @startuml
>
> 'skin BlueModern
>
> title: CAS Browser Single-Signon Sequence Diagram
>
> actor user as U
> participant "Browser" as B
> participant "CAS Server" as C
> participant "Protected App" as P
> participant "Protected App #2" as P2
>
>
> == First Access ==
>
> U -> B :Goto "app"
> activate B
> B -> P : GET https://app.example.com/
> activate P
> B <-- P : 302 Location: https://cas.example.com/cas/login?\nservice=<i>https%3A%2F%2Fapp.example.com%2F</i>
> note right
> Access is unauthenticated so
> forward to CAS for authentication.
> "service" query parameter
> https://app.example.com/
> is URL encoded
> end note
> deactivate P
>
> B -> C: GET https://cas.example.com/cas/login?\nservice=<i>https%3A%2F%2Fapp.example.com%2F</i>
> activate B
> activate C
>
> B <-- C: CAS Login Form
> note right
> User does not have an SSO Session so
> present login form
> end note
> deactivate C
> U <- B: Display CAS\nLogin Form
> activate U
> U --> B: Submit CAS\nLogin Form
> deactivate U
> B -> C: POST https://cas.example.com/cas/login?\nservice=<i>https%3A%2F%2Fapp.example.com%2F</i>
> note right
> username, password, and login ticket
> are POSTed in the body
> end note
> activate C
> C -> C: Authenticate user
> B <-- C: Set-Cookie: CASTGC=TGT-2345678\n302 Location: https://app.example.com/?\nticket=ST-12345678
> note right
> User is authenticated so create Single-signon (SSO) session
> CASTGC cookie contains the Ticket Granting Ticket (TGT)
> The TGT is the session key for the user's SSO session
> end note
> deactivate C
> deactivate B
>
> B -> P: GET https://app.example.com/?ticket=ST-12345678
> activate P
> P -> C: GET https://cas.example.com/serviceValidate?\nservice=<i>https%3A%2F%2Fapp.example.com%2F&\nticket=ST-12345678</i>
> note right
> Protected app validates Service
> Ticket (ST) at CAS server over https
> end note
> activate C
> P <-- C: 200 [XML Content]
> note left
> CAS returns an XML document which includes
> an indication of success, the authenticated
> subject, and optionally attributes
> end note
> deactivate C
> B <-- P: Set-Cookie: JSESSIONID=ABC1234567\n302 Location: https://app.example.com/
> note right
> Set the session cookie and forward
> the browser back to the application with
> the service ticket stripped off
> This optional step prevents the browser
> address bar from displaying the ST
> end note
> deactivate P
> B -> P: Cookie: JSESSIONID=ABC1234567 GET https://app.example.com/
> activate P
> P -> P: Validate session cookie
> B <-- P: 200 [Content of https://app.example.com/]
> deactivate P
> U <-- B: Display "app"
> deactivate B
>
> ...
>
> == Second Access To Same Application ==
>
> U -> B: Request resource
> activate B
> B -> P : Cookie: JSESSIONID=ABC1234567\nGET https://app.example.com/resource
> note right
> Session Cookie is sent
> along with the request
> end note
> activate P
> P -> P: Validate session cookie
> B <-- P : "200 [Resource Content]"
> deactivate P
> U <-- B : Display resource
> deactivate B
>
> ...
>
> == First Access To Second Application ==
>
> U -> B :Goto "app2"
> activate B
> B -> P2 : GET https://app2.example.com/
> activate P2
> B <-- P2 : 302 Location: https://cas.example.com/cas/login?\nservice=<i>https%3A%2F%2Fapp2.example.com%2F</i>
> deactivate P2
>
> B -> C: Cookie: CASTGC=TGT-2345678\nGET https://cas.example.com/cas/login?\nservice=<i>https%3A%2F%2Fapp2.example.com%2F</i>
> activate B
> activate C
> C -> C: Validate TGT
> B <-- C: 302 Location: https://app2.example.com/?\nticket=ST-345678
> note right
> CAS validates the TGT so no login is required
> end note
> deactivate C
> deactivate B
>
> B -> P2: GET https://app2.example.com/?ticket=ST-345678
> activate P2
> P2 -> C: GET https://cas.example.com/serviceValidate?\nservice=<i>https%3A%2F%2Fapp2.example.com%2F&\nticket=ST-345678</i>
> activate C
> P2 <-- C: 200 [XML Content]
> deactivate C
> B <-- P2: Set-Cookie: MOD_AUTH_CAS_S=XYZ1234567\n302 Location: https://app2.example.com/
> deactivate P2
> B -> P2: Cookie: MOD_AUTH_CAS_S=XYZ1234567 GET https://app2.example.com/
> activate P2
> P2 -> P2: Validate session cookie
> B <-- P2: 200 [Content of https://app2.example.com/]
> deactivate P2
> U <-- B: Display "app2"
> deactivate B
>
> @enduml
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as: robertoschw...@googlemail.com
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
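A small model of the CAS-side exchange in David's diagram (first access with the login form, service-ticket validation, and the second application getting a ticket from the CASTGC cookie without a login form), added here as an example; it is not code from the thread or from the CAS project. Credentials and ticket values are constructed; the single-use and service-binding checks in service_validate follow the CAS protocol's rules for service tickets, and the application's own session cookie (JSESSIONID / MOD_AUTH_CAS_S) is not modelled.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlsplit

class CasServer:
    """Toy model of the CAS server in the diagram: TGT (SSO session) -> ST -> /serviceValidate."""
    def __init__(self, users):
        self.users = users   # constructed credential store: username -> password
        self.tgts = {}       # TGT id -> username; the value carried in the CASTGC cookie
        self.sts = {}        # ST id -> (service, username); removed on the first validation attempt

    def login(self, service, tgt=None, username=None, password=None):
        """GET/POST /cas/login. Returns (CASTGC value, 302 Location) or None to show the login form."""
        if tgt in self.tgts:                               # browser sent a valid CASTGC: no form
            user = self.tgts[tgt]
        elif username is not None and self.users.get(username) == password:
            tgt = "TGT-" + secrets.token_hex(8)            # authenticated: create the SSO session
            self.tgts[tgt] = user = username
        else:
            return None                                    # unauthenticated: present CAS login form
        st = "ST-" + secrets.token_hex(8)                  # ST is bound to the requesting service
        self.sts[st] = (service, user)
        return tgt, service + "?" + urlencode({"ticket": st})

    def service_validate(self, service, ticket):
        """GET /serviceValidate: any attempt consumes the ST, and it must match the service."""
        entry = self.sts.pop(ticket, None)
        if entry is None or entry[0] != service:
            return {"success": False, "user": None}
        return {"success": True, "user": entry[1]}

def ticket_from(location):
    """The protected app reads ?ticket=ST-... from the redirect the browser followed."""
    return parse_qs(urlsplit(location).query)["ticket"][0]

def browser_sso_flow(cas, app="https://app.example.com/", app2="https://app2.example.com/"):
    """Replays the diagram's sections and returns the validation outcomes."""
    form_shown = cas.login(app) is None                             # First Access: no CASTGC yet
    tgt, loc = cas.login(app, username="alice", password="s3cret")  # POST of the login form
    first = cas.service_validate(app, ticket_from(loc))             # app validates its ST
    replay = cas.service_validate(app, ticket_from(loc))            # same ST again: single-use
    _, loc2 = cas.login(app2, tgt=tgt)                              # app2: CASTGC validates, no form
    second = cas.service_validate(app2, ticket_from(loc2))
    _, loc3 = cas.login(app2, tgt=tgt)
    mismatch = cas.service_validate(app, ticket_from(loc3))         # ST issued for app2 presented as app
    return {"form_shown": form_shown, "first": first["success"], "replay": replay["success"],
            "second": second["success"], "mismatch": mismatch["success"], "same_tgt": tgt in cas.tgts}

if __name__ == "__main__":
    print(browser_sso_flow(CasServer({"alice": "s3cret"})))
```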